alibabacloud-automation · shanye997 · Jul 31, 2025 · Jul 30, 2025
diff --git a/solution/tech-solution/fdaaco/README.md b/solution/tech-solution/fdaaco/README.md
@@ -0,0 +1,49 @@
+## Introduction
+<!-- DOCS_DESCRIPTION_CN -->
+本示例用于实现解决方案[文件下载加速及成本优化](https://www.aliyun.com/solution/tech-solution/fdaaco), 涉及到内容分发网络（CDN）、云解析（DNS）、对象存储服务（OSS）等资源的部署。
+<!-- DOCS_DESCRIPTION_CN -->
+
+<!-- DOCS_DESCRIPTION_EN -->
+This example is used to implement solution [File Download Acceleration and Cost Optimization](https://www.aliyun.com/solution/tech-solution/fdaaco), which involves the creation and deployment of resources such as Content Delivery Network (CDN), Alibaba Cloud DNS, Object Storage Service (OSS).
+<!-- DOCS_DESCRIPTION_EN -->
+
+<!-- BEGIN_TF_DOCS -->
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_alicloud"></a> [alicloud](#provider\_alicloud) | n/a |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [alicloud_cdn_domain_config.domain_config1](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/cdn_domain_config) | resource |
+| [alicloud_cdn_domain_config.domain_config2](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/cdn_domain_config) | resource |
+| [alicloud_cdn_domain_config.domain_config3](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/cdn_domain_config) | resource |
+| [alicloud_cdn_domain_new.domain](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/cdn_domain_new) | resource |
+| [alicloud_dns_record.domain_record](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/dns_record) | resource |
+| [alicloud_oss_bucket.oss_bucket](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket) | resource |
+| [alicloud_ram_policy.policy](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_policy) | resource |
+| [alicloud_ram_role.role](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_role) | resource |
+| [alicloud_ram_role_policy_attachment.attach](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_role_policy_attachment) | resource |
+| [random_integer.default](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) | resource |
+| [alicloud_cdn_service.open_cdn](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/data-sources/cdn_service) | data source |
+| [alicloud_oss_service.open_oss](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/data-sources/oss_service) | data source |
+| [alicloud_ram_roles.default](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/data-sources/ram_roles) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_bucket_name_prefix"></a> [bucket\_name\_prefix](#input\_bucket\_name\_prefix) | 存储空间名称前缀，长度为3~63个字符，必须以小写字母或数字开头和结尾，可以包含小写字母、数字和连字符(-)。需要全网唯一性，已经存在的不能在创建。 | `string` | `"bucket-example"` | no |
+| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | 域名（当前阿里云账号下已备案的域名，不包含前缀） | `string` | n/a | yes |
+| <a name="input_domain_prefix"></a> [domain\_prefix](#input\_domain\_prefix) | 域名前缀 | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | 地域 | `string` | `"cn-hangzhou"` | no |
+| <a name="input_scope"></a> [scope](#input\_scope) | 选择加速区域。加速区域为仅中国内地和全球时，服务域名必须备案。 | `string` | `"domestic"` | no |
+<!-- END_TF_DOCS -->
diff --git a/solution/tech-solution/fdaaco/main.tf b/solution/tech-solution/fdaaco/main.tf
@@ -0,0 +1,162 @@
+data "alicloud_cdn_service" "open_cdn" {
+  enable = "On"
+}
+
+data "alicloud_oss_service" "open_oss" {
+  enable = "On"
+}
+
+resource "random_integer" "default" {
+  min = 100000
+  max = 999999
+}
+
+resource "alicloud_oss_bucket" "oss_bucket" {
+  bucket = "${var.bucket_name_prefix}-${random_integer.default.result}"
+}
+
+resource "alicloud_cdn_domain_new" "domain" {
+  domain_name = "${var.domain_prefix}.${var.domain_name}"
+  cdn_type    = "web"
+  scope       = var.scope
+  sources {
+    content  = "${alicloud_oss_bucket.oss_bucket.id}.${alicloud_oss_bucket.oss_bucket.extranet_endpoint}"
+    type     = "oss"
+    priority = 20
+    port     = 80
+    weight   = 10
+  }
+}
+
+resource "alicloud_cdn_domain_config" "domain_config1" {
+  domain_name   = alicloud_cdn_domain_new.domain.domain_name
+  function_name = "filetype_based_ttl_set"
+  function_args {
+    arg_name  = "file_type"
+    arg_value = "jpg,png,jpeg"
+  }
+  function_args {
+    arg_name  = "weight"
+    arg_value = "99"
+  }
+  function_args {
+    arg_name  = "ttl"
+    arg_value = "7776000"
+  }
+}
+
+resource "alicloud_cdn_domain_config" "domain_config2" {
+  domain_name   = alicloud_cdn_domain_new.domain.domain_name
+  function_name = "l2_oss_key"
+  function_args {
+    arg_name  = "private_oss_auth"
+    arg_value = "on"
+  }
+  function_args {
+    arg_name  = "perm_private_oss_tbl"
+    arg_value = ""
+  }
+}
+
+resource "alicloud_cdn_domain_config" "domain_config3" {
+  domain_name   = alicloud_cdn_domain_new.domain.domain_name
+  function_name = "image_transform"
+  function_args {
+    arg_name  = "filetype"
+    arg_value = "jpeg"
+  }
+  function_args {
+    arg_name  = "webp"
+    arg_value = "off"
+  }
+  function_args {
+    arg_name  = "orient"
+    arg_value = "off"
+  }
+  function_args {
+    arg_name  = "slim"
+    arg_value = "90"
+  }
+  function_args {
+    arg_name  = "enable"
+    arg_value = "on"
+  }
+}
+
+resource "alicloud_dns_record" "domain_record" {
+  name        = var.domain_name
+  host_record = var.domain_prefix
+  type        = "CNAME"
+  value       = alicloud_cdn_domain_new.domain.cname
+}
+
+# 授权CDN访问OSS
+data "alicloud_ram_roles" "default" {
+  name_regex = local.AliyunCDNAccessingPrivateOSSRole.name
+}
+
+resource "alicloud_ram_role" "role" {
+  count                       = length(data.alicloud_ram_roles.default.names) > 0 ? 0 : 1
+  role_name                   = local.AliyunCDNAccessingPrivateOSSRole.name
+  assume_role_policy_document = local.AliyunCDNAccessingPrivateOSSRole.document
+  description                 = local.AliyunCDNAccessingPrivateOSSRole.description
+}
+
+resource "alicloud_ram_policy" "policy" {
+  policy_name     = "${local.AliyunCDNAccessingPrivateOSSRolePolicy.name}-${alicloud_oss_bucket.oss_bucket.id}"
+  policy_document = local.AliyunCDNAccessingPrivateOSSRolePolicy.document
+  description     = local.AliyunCDNAccessingPrivateOSSRolePolicy.description
+}
+
+resource "alicloud_ram_role_policy_attachment" "attach" {
+  role_name   = local.AliyunCDNAccessingPrivateOSSRole.name
+  policy_name = alicloud_ram_policy.policy.policy_name
+  policy_type = "Custom"
+
+  depends_on = [alicloud_ram_role.role]
+}
+
+locals {
+  AliyunCDNAccessingPrivateOSSRole = {
+    name        = "AliyunCDNAccessingPrivateOSSRole"
+    description = "用于CDN回源私有OSS Bucket角色的授权角色"
+    document    = <<-JSON
+    {
+      "Statement": [
+        {
+          "Action": "sts:AssumeRole",
+          "Effect": "Allow",
+          "Principal": {
+            "Service": [
+              "cdn.aliyuncs.com"
+            ]
+          }
+        }
+      ],
+      "Version": "1"
+    }
+    JSON
+  }
+  AliyunCDNAccessingPrivateOSSRolePolicy = {
+    name        = "AliyunCDNAccessingPrivateOSSRolePolicy"
+    description = "用于CDN回源某一私有OSS Bucket角色的授权策略，包含OSS的只读权限"
+    document    = <<-JSON
+    {
+      "Version": "1",
+      "Statement": [
+        {
+          "Action": [
+            "oss:List*",
+            "oss:Get*"
+          ],
+          "Resource": [
+                "acs:oss:*:*:${alicloud_oss_bucket.oss_bucket.id}",
+                "acs:oss:*:*:${alicloud_oss_bucket.oss_bucket.id}/*"
+          ],
+          "Effect": "Allow"
+        }
+      ]
+    }
+    JSON
+  }
+}
diff --git a/solution/tech-solution/fdaaco/outputs.tf b/solution/tech-solution/fdaaco/outputs.tf
@@ -0,0 +1,14 @@
+output "accelerate_domain_name" {
+  description = "加速域名"
+  value       = alicloud_cdn_domain_new.domain.domain_name
+}
+
+output "cname_domain_name" {
+  description = "CNAME域名"
+  value       = alicloud_cdn_domain_new.domain.cname
+}
+
+output "origin_server" {
+  description = "源站"
+  value       = "${alicloud_oss_bucket.oss_bucket.id}.${alicloud_oss_bucket.oss_bucket.extranet_endpoint}"
+}
diff --git a/solution/tech-solution/fdaaco/provider.tf b/solution/tech-solution/fdaaco/provider.tf
@@ -0,0 +1,3 @@
+provider "alicloud" {
+  region = var.region
+}
diff --git a/solution/tech-solution/fdaaco/variables.tf b/solution/tech-solution/fdaaco/variables.tf
@@ -0,0 +1,31 @@
+variable "region" {
+  description = "地域"
+  type        = string
+  default     = "cn-hangzhou"
+}
+
+variable "bucket_name_prefix" {
+  type        = string
+  description = "存储空间名称前缀，长度为3~63个字符，必须以小写字母或数字开头和结尾，可以包含小写字母、数字和连字符(-)。需要全网唯一性，已经存在的不能在创建。"
+  validation {
+    condition     = can(regex("^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$", var.bucket_name_prefix))
+    error_message = "必须为3-63个字符，以小写字母或数字开头和结尾，可包含小写字母、数字和连字符(-)"
+  }
+  default = "bucket-example"
+}
+
+variable "domain_name" {
+  description = "域名（当前阿里云账号下已备案的域名，不包含前缀）"
+  type        = string
+}
+
+variable "domain_prefix" {
+  description = "域名前缀"
+  type        = string
+}
+
+variable "scope" {
+  type        = string
+  description = "选择加速区域。加速区域为仅中国内地和全球时，服务域名必须备案。"
+  default     = "domestic"
+}